Deployment Task

Determining the Image Status on the Host

Deployment Steps

While connected to the Enforcer host, use the following command to determine whether or not the images on the system are seen by the Enforcer as:

  • Registered
  • Unregistered
  • Whitelisted
  • Blocked

Command: /opt/aquasec/slk images show -a 

$ /opt/aquasec/slk images show -a 
IMAGE NAME                               IMAGE ID       LOCAL DIGEST   SERVER DIGEST  IMAGE PROFILE              STATUS
alpine:latest                            196d12cf6ab1   32293403fd90   32293403fd90                              registered
alpinesecrets:latest                     c67dd1eb6034   32293403fd90   32293403fd90                              registered
amazon/amazon-ecs-agent:latest           6d5108578d35   1e930fb9a23d   1e930fb9a23d                              registered, blocked
amazon/amazon-ecs-agent@sha256:d8708ef2e fec2b2925d04   fb9ba4d99ddf                                             unregistered

The images on lines 3 and 4 have been registered and scanned by Aqua.  They are approved to run either by a whitelist, or they are not in violation of an Image Assurance policy. 

The image on line 5 has been registered and scanned by Aqua, but this image is in violation of a policy, and therefore it is blocked.

The image on line 6 has not been scanned by Aqua.  If the Image Assurance policy has been configured to block unknown/unregistered images, then this image would be blocked.